Closed Bug 1835193 Opened 2 years ago Closed 1 year ago

Socket and utility process sandbox policies allow stat()ing any file

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Product:
Core
Component:
Security: Process Sandboxing
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
134 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox132 --- wontfix
firefox133 --- wontfix
firefox134 --- fixed

People

(Reporter: jld, Assigned: gerard-majax)

References

Details

(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main134+r])

Attachments

(1 file, 2 obsolete files)

Bug 1835193 - Remove AddTree and rename AddDir to AddTree r?jld!
48 bytes, text/x-phabricator-request
Details | Review

While reviewing a patch, I noticed these existing lines of SandboxBrokerPolicyFactory.cpp where we use AddDir to grant MAY_ACCESS to everything under /, recursively. This won't allow opening files or directories, but it will allow calling stat on any file; I've verified this by injecting function calls with gdb.

The documented intent there was just to allow stating the / directory itself; i.e., it should have used AddPath. I think that part of the problem here (and the other patch I was looking at seemed to have a similar issue) is that the name AddDir sort of looks like it's for granting access to just a directory, and not the entire subtree. It might make sense to rename that to AddTree or something like that that's clearer about what it does, and rename the old AddTree (which dates back to when the policy was a hashtable of exact paths with no recursive rules or elaborate realpath logic, and was originally targeted at B2G where OS files were more static) to AddTreeStatic or something — or maybe even remove it, because it's currently unused and I'm having trouble thinking of a situation on desktop Linux where we'd want it.

That renaming could be done separately. Doing both changes in the same patch would help make the security bug less obvious, but I don't know if the severity of this bug is high enough to justify worrying about early disclosure like that.

Group: core-security → dom-core-security
Severity: -- → S2
Priority: -- → P1
See Also: → 1848615
Assignee: nobody → lissyx+mozillians
Attached file WIP: Bug 1835193 - Remove old AddTree (obsolete) —
Attached file WIP: Bug 1835193 - Remove old AddTree (obsolete) —
Attachment #9438552 - Attachment is obsolete: true
Attachment #9438535 - Attachment is obsolete: true
Pushed by alissy@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0341ac8af840 Remove AddTree and rename AddDir to AddTree r=jld

https://hg.mozilla.org/mozilla-central/rev/0341ac8af840

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox134: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main134+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: